Glosario
A
Aliases. En la mayoria de casos el nombre general (por ejemplo Klez, Badtrans, Nimda) es idéntico y ya esta presente independientemente de la nombración que le concede la compañía antivírica. Básicamente se diferencian solo los sufijos y prefijos de estos nombramientos y las reglas de su uso pueden ser diferentes en deferentes compañías. Por ejemplo, de acuerdo a la clasificación de Doctor Web, SRL las versiones de uno o otro virus son numeradas, empezando desde 1. Symantex para tal objetivo utiliza las letras titulares del alfabeto ingles.
Anti-antivirus Virus (Retrovirus) — programa virulento con objetivo de atacar anti-virus programas.
Anti-virus Virus programa vírico, que ataca a otros viruses.
Anti-virus programa programa para la búsqueda, diagnosis, prevención y cura de ficheros, contaminados por el virus de computador. En proceso de búsqueda y diagnosis se detectan los ficheros contagiados y el tipo de virus. La profiláctica permite a prevenir la contaminación. La cura sobreentiende eliminación de virus y restablecimiento de ficheros dañados.
Medidas, aplicadas para la prevención, ayudan a detener la infección.
En proceso de desinfección el virus esta eliminado y los ficheros dañados son restablecidos.
Anti-virus escaner a computer program capable of detecting a viral code in the virus infected files with the help of the virus database known to such anti-virus program or a priori assumption of such virus code structure.
Scanners, from time to time, (for example, on the user's request) check certain objects (disks, folders and files as well as main memory and boot sectors) in order to detect the presence of the virus signature.
Applet a Java language class embedded into the document created in HTML language in the form of an executable module .
Applet is downloaded from server to the user's computer as an attached file. Applets are used, for example, for interactive dialogue with users at Web-pages.
Archive file - a result of files compression by archivator.
Un ataque de intermediario — otros nombres: un ataque Man in the middle (MITM), un ataque Man in the Middle Attack (MIMA) — consiste en suplantación, modificación o robo de los datos transferidos por un intermediario (un hacker o un troyano) en el momento cuando los datos ya han sido enviados, pero aún no han sido recibidos. Hay muchas variantes del ataque de intermediario, pero en la mayoría de los casos el mismo se realiza con software nocivo o al interceptar el tráfico, por ejemplo, en las redes inalámbricas disponibles.
Los ataques BadUSB – es un tipo de ataques a equipos usando los dispositivos preparados a propósito que imitan otros dispositivos. Gracias a la entrada USB universal, al conectar el teclado, el ratón u otro dispositivo con el firmware modificado a propósito, los malintencionados acceden a los datos del usuario o a las posibilidades de realizar otras acciones nocivas requeridas.
B
Back-door a computer program which allows an authorised system access or receipt of a privileged function (working mode). Back-doors are often used to compromise the system`s security settings. They do not infect files but modify registry keys.
Background - a task executed by a system imperceptibly for a user. Such tasks acquire lower priority.
Some malicious programs act in the background performing its actions in invisible for a user mode
Batch file - an executable file containing operating system instructions. It usually has a .bat extension and is designed as a text file, every line of which is an operating system command.
It is executed by a command processor.
BEC (Business E-mail Compromises, también CEO fraud, Whaling) — es una opción de estafa cuando los delincuentes intercambian mensajes con directivos de empresas supuestamente en nombre de sus contratistas reales. Su objetivo es persuadir a los directivos de empresas para que los mismos transfieran dinero con requisitos falsificados a la cuenta de los delincuentes o hacerles revelar los datos privados sobre las transacciones o el personal.
Boot virus size. Boot virus head size means a virus body length placed to a boot sector of a diskette or MBR.
Boot virus tail size means a virus body length placed into an empty space of a diskette or a hard disk (such sectors are marked as error sectors).
Bug - any incidental program error both syntactic and semantic.
C
Un cifrador es un tipo de software nocivo usado por los malintencionados para bloquear el acceso del usuario a sus datos al cifrarlos, y luego sigue la etapa de extorsión del dinero por descifrar. Normalmente los cifradores son programas toryanos.
Computer viruses. These are programs or fragments of a program code which, having infected a system can, despite a user's will perform different actions.
They can create or delete objects, modify data files or program files, self-propagate in local drives and computer networks or via Internet. The modification of program files, data files or boot sectors is made in such a way that they themselves become code carriers and can, in its turn, perform the aforesaid actions called infection. These are peculiar features of a computer virus.
Depending upon the infected objects types there are different types of viruses.
D
Daemon — a program performing service functions without a user's request and even invisible for him
Damage. Having hit a computer viruses can perform the following malicious actions.
- Denial of some functions performance during a system work. Errors and malfunction, system hang-up immediately after its reboot.
- Perform actions not determined by a program.
- Destroy files, disks (format disks , delete files).
- Display annoying false message on the computer screen.
- Create audio and video effects (falling-down letters, melody tuning and so on).
- Block access to system resources (increase in size of the infected files because of their multiple infecting, computer work slow-down etc).
One should remember that slight, invisible data files changes present more danger than catastrophic damage incurred to a hard disk or a diskette.
Date and time added to Dr.Web virus database. This means the date and time of an add-on to Dr.Web virus database in which determination of a corresponding virus is given and means of its neutralizing (deletion, disinfecting and so on.) are included. From the time the virus is included into the virus database an anti-virus program can detect the virus and, therefore, neutralize it.
This does not mean that the virus not included into virus database add-on can not be detected by an anti-virus program. Very often a newly appeared virus and by far unprocessed in Anti-virus laboratory of Igor Daniloff is detected by Dr.Web heuristic.
Disquete limpio — es un disquete de arranque con protección contra la escritura; el usuario está seguro de que el mismo no contiene virus.
Dropper - a file-carrier which installs a virus into a system. This technique is used sometimes by virus authors to hide the actual virus from its detection by anti-virus programs.
E
Encrypted viruses these are viruses self-encrypting their virus code in order to make more difficult their disassembling and detection in a file, sector or memory. Each and every copy of such virus contains only a short common set of characters - a decrypting procedure which can be considered as the virus signature.
In case of every infection it automatically encrypts itself and every time the procedure is different. This is the way the virus tries to avoid its detection by anti-virus programs.
Executable file a file ready for processing by the operating system. For example, in MS DOS executable files have extensions .exe, .com and .bat.
Files with extension .exe, and .com are programs.
Files with extension .bat are batch files.
F
File Allocation Table (FAT) - a table designed for a dynamic allocation of a hard drive where cluster is a unit of the memory allotted.
File virus size - actual size of a viral code in bytes which is present in each and every file infected with a certain virus.
G
Guard - a memory resident program controlling operating system sections potentially open for infection with viruses. It comes into action in the moment of the virus intrusion.
The guard detects and blocks attempts of the files infection. In doing this it also detects programs, possibly infected with some virus, which try to perform suspicious actions .
Anti-virus SpiDerGuard is deeply integrated with Dr.Web anti-virus scanner: suspicious programs can be checked "лету" in passing using the whole package of the virus database and its scanning algorithm.
And even more, known for sure infected files can be immediately disinfected.
H
Heuristic. An anti-virus program component. Detects new and unknown before viruses. Heuristic analyzes both files and boot sectors. At heuristic analysis a verification of an executable code of the object examined is carried out and an attempt to detect a presence of characteristic for a virus functions is made.
If heuristic finds suspicious code a message stating a possibility of the infection of the object with unknown virus is displayed to a user. It states also the category this code may belong to. Dr.Web detects the following categories of suspicious objects by its heuristic: COM, EXE, WIN.EXE, TSR, MACRO, BOOT, CRYPT, SCRIPT, BATCH, IRC, WORM.
If at Dr.Web scanner or SpIDer Guard work a message stating a possibility of infecting with one or another category of viruses is displayed we recommend you to send this suspicious object to Doctor Web, Ltd. technical support service for consideration having filled in a special form.
Hidden file - a file which, according to the security policy, is not displayed in the folder files list and is specially marked.
Hoax - a non-viral e-mail message written in a deliberately neutral tone. It contains a notification of a newly spread viral threat.
The majority of hoaxes possess one or several of the below going characteristics.
The virus name the hoax writer refers to does not observe rules of virus naming that are common to anti-virus companies.
The user is asked to find some file in Windows folder and delete it.
He is also asked to pass the warning message over to his friends and all the contacts in his address book.
Such mystification is not harmless yet. The mass-mailing of this useless message increases mail traffic loading and wastes users` time.
Dr.Web database hot adds-on are issued daily or several times per day.
Hyper Text Markup Language (HTML) - a standardized hypertext markup language used in WWW for Web - documents creation and publication.
It possess main functions necessary for hypermedia-documents composition: text formatting, drawings, video and sound and hyperlinks utilization, data search in WWW.
I
J
JavaScript - a script programming language developed by Netscape Communications Corporation. It is compatible with Java programming language. It is used for creation of Web-pages embedded scripts.
K
L
La amenaza del día cero (la vulnerabilidad del día cero, la vulnerabilidad 0-day) — es la vulnerabilidad del software o hardware para la cual aún no están desarrollados los “parches” cuya instalación imposibilita el uso de la amenaza. Como protección contra las amenazas del día cero sirve, en particular, el uso de la protección antivirus que puede interceptar el código nocivo que los malintencionados intentan implementar usando las vulnerabilidades.
La vulnerabilidad es un error de software o hardware que permite que los malintencionados implementen un código nocivo en un programa o sistema vulnerable, intercepten los datos procesados o realicen las acciones nocivas. La vulnerabilidad puede surgir como resultado de configuración errónea del software (por ejemplo, en caso de usar contraseñas débiles) o por causa de errores de desarrolladores del programa que no han previsto algún ataque al mismo.
Logic bomb - a sort of Trojan Horse - a hidden program module embedded into developed earlier and widely used program. Such a module stays harmless till a certain condition upon which it activates (for example, some change in a file or certain date or time arrival).
Logic bombs are used sometimes as a sort of a computer sabotage.
LOLBINs/LOLScripts/LOLLibs (Living Off The Land Binaries/Scripts/Libraries) — son listados de archivos ejecutados de forma legítima, así como de csripts y bibliotecas que no tienen funciones nocivas. Suelen existir en los sistemas atacados y pueden ser usados por los malintencionados para realizar las acciones nocivas.
M
Mail bomb - one enormously huge e-mail message or many (reaching thousands) messages sent to a user`s computer. This may result in the system crash.
Memory resident virus - a constantly present in memory virus written, as a rule, in Assembler or C languages.
Such viruses may cause a substantial infection and successfully oppose some anti-virus programs. Usually they are small in size. They stay always alert to proceed with their predetermined by the virus author task till the system is active, rebooted or switched off. They are activated and perform their malicious task when, for example, a certain condition takes place (a timer works, etc.).
All boot viruses are memory resident.
MtE viruse - a sort of polymorphic viruses created with the help of MtE (Mutant Engine). Such engine presents a special algorithm, responcible for encrypting and decrypting, and a decryptor`s engine which it appends to any object virus code.
Such decryptor is always different and does not have a single constant byte.
N
O
P
Patch - a sequence of instructions supplementing code of the existing program added by the program developer to improve the existing malfunction. Such sequence of instructions is introduced as a separate block or a file to the necessary place where a jump string is placed. Sometimes it serves as a means of an added function to the existing program version before a new version release where this function will be introduced in usual manner.
Plug-in (a plugged-in program) - an auxiliary program performing additional functions in main program. It can be downloaded together with the application and become visible as an option in respective menu. For example, a program of translating from English in Word for Windows.
Polymorphism - a technology with the help of which a virus changes its viral code and different copies of one and the same virus become different and do not coincide in a single of its bytes.
Polymorphic viruses or viruses with self-modified decryptors (as per N.Bezrukov). These are viruses which, in addition to the encryption virus code, utilize a special decrytion algorithm thus changing themselves in every new viral copy. The decryptor is not constant, it is unique for every virus copy.
Port - устройство сопряжения of a central processor or a computer main memory with other devices for data transfer purpose.
Protocol - a set of rules determining devices, programs and data processing systems interaction algorithm.
Protocol POP (Post Office Protocol)- an Internet protocol of dynamic access to a server mail box from a workstation.
Protocol SMTP (Simple Mail Transfer Protocol) - an Internet protocol of dynamic access to the workstation mailbox from a server.
Q
R
Registry - a hierarchical database in which an operating system stores all the system information, namely, the system configuration, various parameters values, information on programs installed, etc. The registry values can be modified by a user in a Regystry Editor window.
Registry key - a record in the registry, a unique identifier of the information stored in the registry.
Revisor - a program which, from time to time, checks changes in potentially infected files comparing all the system parts with standard.
At the beginning Revisor stores files and sectors checksum data and then it verifies the conformity of standard and current checksum data. It comes into action if they do not coincide (in a result of a virus intrusion).
Revisor makes it possible to detect a virus activity after the infection took place and in some cases to restore the files data as it was before the infection.
Still, it can not determine why the changes in the program occurred, either it was damaged with a virus or it was just retranslated.
Program.RemoteBot – detección de aplicaciones destinadas para la administración a distancia de dispositivos en Android. Los programas de esta familia son potencialmente peligrosos porque pueden ser usados para ciberespionaje y supervisar a usuarios en caso de ser instalados sin permiso de titulares de dispositivos.
Estas aplicaciones son capaces de realizar las acciones siguientes:
- interceptar y enviar mensajes SMS;
- supervisar y realizar las llamadas telefónicas;
- recibir el contenido de notificaciones del sistema operativo y otros programas;
- grabar vídeo;
- sacar fotos;
- escuchar el entorno usando el micro del dispositivo;
- supervisar la ubicación del dispositivo;
- realizar varios comandos.
S
Script - a program, a special type of a program code written as a rule in interpertable (non-compiling) language and containing commands-instructions.
Script virus - viruses written in Visual Basic, Basic Script, Java Script or Jscript languages.
They usually come to the users` computers in the form of e-mail messages containing attachments with script files.
Programs written in Visual Basic and Java Script languages may come as separate files or be embedded into an HTML-document. In such case they will be interpreted by a browser either from a server or from a local disk.
El software nocivo (inglés malicious software) — es cualquier software instalado en los equipos y dispositivos sin autorización del usuario, o el software que realiza las acciones deliberadamente nocivas, así como las acciones distintas de las descritas en la documentación.
El software de publicidad, o Adware (de inglés advertisement — «publicidad» y software — «software») — es un tipo de software nocivo que sirve para la visualización de la publicidad no autorizada y para recabar la información sobre los usuarios. Las acciones típicas del software de publicidad es la suplantación de la página de inicio en el navegador, la suplantación de la configuración de acceso a Internet, el cambio de diseño de los sitios web consultados por el usuario, la redirección del usuario a los sitios web de publicidad, la recopilación del historial de las páginas consultadas por el usuario en el equipo y el envió del mismo al servidor del malintencionado.
Shareware soft - a computer software released for free evaluation but программное обеспечение, но предполагающее оплату его автору.
If, after a trial evaluation, a user does not want to utilize this software he must delete it from the computer.
Unauthorized software usage без оплаты автору is considered pirating.
Stealth virus - a virus program undertaking special steps to disguise its activity in order to hide its presence in the infected objects. So-called "stealth" technology makes difficult:
- A virus detection in operating memory
- Virus tracing and disassembling
- Virus detection in an infected program or a boot sector.
System file - a file containing one of the operating system's modules or a set of data used by such system.
T
Target file formats
- .bat - batch file format
- .bin - binary file format
- .com - command file format, a sort of an executable, can not exceed 64 Kb.
- .dll - dynamic link library file format
- .elf - executable file format in OS Linux/UNIX
- .exe - executable file format
- .ini - configuration file format
- .sys - system file format
Time bomb - a sort of logic bombs where a hidden module is activated at specific time.
Trojan Horse - a computer program containing a hidden module which performs unauthorized by a user actions at his computer. These actions may be nondestructive, still, they may cause substantial harm to a system.
Trojan programs - vandals misplace one of often run programs, perform its functions or imitate such performance, carry out different malicious actions -delete files, folders, format disks, send passwords or other confidential information from the user's computer.
Trojan programs became widely spread due to BBS appearance. Some Trojan Horses can contain mechanism of updating of its components via Internet.
Types of viruses. Depending on the infected object type all computer virus programs can be classified according to the following types:
- File viruses - viruses infecting binary files (as a rule they are executable files or dynamic link library files). Often such files have extensions .EXE, .COM, .DLL, .SYS. They can also infect files with extensions .DRV, .BIN, .OVL and .OVY.
These viruses embed into system files, activate at the infected program run and then propagate.
- Boot viruses - viruses infecting Boot records of diskettes, hard drives sections and hard drives MBR (Master Boot Record).
- Macroviruses - viruses infecting document files utilized by Microsoft Office applications and other programs containing macrocommands (usually written in Visual Basic language).
A favourable factor for such viruses spreading is the fact that all the main Microsoft Office components may contain embedded programs (macroses) written in full-functional programming language and in Microsoft Word these macroses are automatically run when you open, close, store or create any document.
Besides, there is a so-called global template NORMAL.DOT in which macroses can be automatically run when you open any document. As copying of macroses from one document to another (and into a global template as well) is made with a single key stroke Microsoft Word environment is ideal for existence of macroviruses such as W97M.Thus.
Los troyanos sin cuerpo (sin archivo) son los programas nocivos que no guardan su “cuerpo” como archivo en el equipo atacado, lo cual les permite ocultarle al usuario su presencia en el sistema. Con mucha frecuencia, los troyanos sin archivo se ocultan en el registro. Aunque los programas troyanos de este tipo no tienen archivo, las amenazas sin archivo se detectan correctamente por el antivirus Dr.Web que escanea todas las áreas donde puede esconderse el software nocivo.
U
V
Variant - a modified variant of one and the same virus. Alterations to a viral code can be introduced both by the virus author and by a strange person as well.
VBScript - a scripts programming language developed by Microsoft Corporation. It represents a Visual Basic language family designed for creation of scripts embedded into Web-pages. It is supported by MS Internet Explorer browser.
Virus-companion - belong to file viruses.
Such viruses make use of DOS peculiarity allowing program files with the same name but different extensions run with various priority.
By priority they mean a sign given to a task, a program or an operation determining the sequence of their execution by a computer.
Most of such viruses create a .COM-file which possesses higher priority than .EXE-files with the same name. If you run a file indicating just its name (without mentioning its extension) a .СОМ.-file will be run.
Such viruses can stay resident and masquerade двойники-files.
Viral code (Signature) - a system of symbols and uniform rules of their interpretation used to represent the information in the data form. It presents a sequence of symbols and bytes which, as supposed, are peculiar and therefore can be detected in one definite virus, in each and every of its copies but only in it. Anti-virus scanners use viral code for a virus detection.
Polymorphic viruses do not have signatures.
Virus database of Dr.Web - contains information on the viral codes fragments (signatures) known to such anti-virus program. It also stores all the necessary data for recovering (disinfecting) of the damaged with a virus objects.
What is the most important of an anti-virus? Its ability to protect against viruses. This protection is secured, among other conditions, by adding the virus entries (signatures) to the base allowing to detect viruses. But the quantity of entries included in the base says nothing about the ability of an anti-virus program to detect viruses.
The virus base of each anti-virus program has its own structure. Not all viruses are unique. There are families of related (similar) viruses, there are viruses designed by special virus constructors- programs for creation of viruses. All of them are very similar. Some developers of anti-virus programs name each such virus with separate entry, which increases the size of the virus base. The Dr.Web virus bases is designed differently; a single entry in it allows to detect tens, or hundreds, or even thousands similar viruses. Even smaller number of virus entries, comparing to some other anti-virus programs, allows to detect with great likelihood yet unknown viruses (not included into the virus base), which will be created on the basis of already existing viruses.
Let us summarize what a user benefits from the small size of the Dr.Web virus base
- It spares space on the hard drive
- It spares main computer memory resources
- It spares Internet traffic when downloading the updates
- It provides for quick installation of the virus base and its processing when
- analyzing viruses
- It allows to detect viruses which will be created in future by modifying the existing viruses
Virus infected attachments formats
Visual Basic language - a high level programming language developed by Microsoft Corporation.
W
"Wild" - "Wild" - a computer environment. An expression "a virus "in the wild" means that such a virus have caused computers or sites infection outside an anti-virus laboratory.
A "wild virus" list made up by Joe Wells contains a list of most frequently met viruses on computers all over the world.
Worm-virus - a parasitic program capable of self-propagation. It can spread copies of itself but can not affect other computer programs.
It propagates via e-mail (often in the form of an attachment to an e-mail message of via Internet) and mass-mails its malicious copies to other computers.
X
Y
Z
Zoo-virus - a virus existing only within anti-virus laboratories, in virus researchers` collections and is not met in the "wild".